On 15/12/17 00:43, William Denniss wrote:
> On Fri, Dec 8, 2017 at 11:42 AM, Vladimir Dzhuvinov <vladi...@connect2id.com
>> wrote:
>> Hi,
>>
>> I just got a question on Twitter about the slow_down error:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5
>>
>> The question was why slow_down is communicated via HTTP status code 400
>> and not 429 (Too Many Requests).
>>
> We could; it seems to match the intent of that error code. The main reason it's
> not like that so far is that 400 is the default for OAuth, I fear people
> may not be checking for a 429. We don't strictly *need* the 429, since
> we're returning data in machine readable format one way or another (i.e.
> it's easy for the client to extract the "slow_down" response either way),
> which differs from HTML over HTTP which is intended for end-user
> consumption, making the specific status code more important.
Yes, on a 400 clients will need to check the error JSON object anyway,
so the "slow_down" cannot be missed. Whereas with 429 that becomes more
likely.

+1 to return "slow_down" with status 400 as it is with the other OAuth
error codes.

Vladimir
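The practical consequence of the thread's conclusion is that a device-flow client should key its behaviour on the JSON "error" member, not on the HTTP status code, so that a 400 and a 429 carrying "slow_down" are handled identically. The following is an added example of that polling logic; it is not from the draft, from either poster, or from any library. The token-endpoint responses are constructed inline, and the fixed 5-second back-off on "slow_down" is the increment I recall from the draft's section 3.5, treated here as an assumption.

```python
"""Device-flow token polling logic that treats the JSON error body as
authoritative, so "slow_down" is caught whether the server sends 400 or 429.
Added example; not code from the draft or from the thread's authors."""
import json

# Constructed sample token-endpoint responses: (HTTP status, body).
# A real client would obtain these by POSTing device_code to the token endpoint.
SAMPLE_RESPONSES = [
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "slow_down"}'),
    (429, '{"error": "slow_down"}'),   # same error, different status: same handling
    (400, '{"error": "authorization_pending"}'),
    (200, '{"access_token": "constructed-token", "token_type": "Bearer"}'),
]

MIN_INTERVAL = 5      # seconds; default when the server supplies no interval
SLOW_DOWN_INCREMENT = 5   # assumption: the increment the draft prescribes for slow_down


def next_action(status, body, interval):
    """Decide what to do with one token-endpoint response.

    Returns (action, new_interval, token) where action is "token", "wait" or "stop".
    The HTTP status is only used to recognise the success case; every error
    decision is made on the parsed "error" member.
    """
    try:
        data = json.loads(body)
    except ValueError:
        # Not a JSON object at all, so it cannot be a valid device-flow response.
        return ("stop", interval, None)

    if status == 200 and "access_token" in data:
        return ("token", interval, data["access_token"])

    error = data.get("error")
    if error == "authorization_pending":
        # User has not yet approved; keep polling at the current interval.
        return ("wait", interval, None)
    if error == "slow_down":
        # Back off for this and all subsequent requests, regardless of 400 vs 429.
        return ("wait", interval + SLOW_DOWN_INCREMENT, None)
    # access_denied, expired_token or anything unrecognised: stop polling.
    return ("stop", interval, None)


def poll(responses, interval=MIN_INTERVAL):
    """Walk a sequence of responses and return (token, final_interval, waits),
    where waits lists the interval the client would have slept before each retry."""
    waits = []
    for status, body in responses:
        action, interval, token = next_action(status, body, interval)
        if action == "token":
            return token, interval, waits
        if action == "stop":
            return None, interval, waits
        waits.append(interval)  # a real client calls time.sleep(interval) here
    return None, interval, waits


if __name__ == "__main__":
    print(poll(SAMPLE_RESPONSES))
```

Running the sample sequence shows the interval climbing from 5 to 10 to 15 seconds across the two "slow_down" responses and staying at 15 afterwards, exactly as it would if both had arrived as 400 or both as 429.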
